Enabling RemoteApp SSO with an ADFS v2.0 authentication on the Portal RRS feed

  • Question

  • Hi all,

    RemoteApp SSO works fine if I use an Active Directory repository to authenticate the users on the portal. But if I use the ADFS v2.0 authentication mechanism, RemoteApp SSO doesn't work anymore.

    Do you have any idea how to make this scenario work? In the RemoteApp Configuration UI, we cannot specify the authentication repository. So I assume that SSO tries to use the LeadUser credentials. But with an ADFS v2.0 authentication on the portal, the LeadUser password doesn't exist...

    Thank you for your suggestions.


    Olivier Detilleux - Service Line Manager | Core Infrastructure Department - vNext http://www.vnext.fr - http://myitforum.com/cs2/blogs/forefrontsecurity/
    Tuesday, July 5, 2011 9:59 AM

Answers

  • Hi again Olivier,

    You're not wrong in theory, it's just not so easy, if at all possible, to put that theory into practice :)

    When UAG uses AD FS 2.0 for trunk authentication, the regular UAG pages and scripts are not used, so you do not have any opportunity to add a custom piece of code that would then be executed on the UAG server (to get the password associated with the user in the ADFS ticket) and then also executed on the client machine, to feed the user name and password into the RDS Web Access Control.

    Regards,


    -Ran

    Tuesday, July 5, 2011 3:20 PM
  • Hi Ran,

    You are totally right. Login.asp is not requested during an ADFS logon process on the portal. So the regular scripts and expressions are not executed. I think the only way to reach my goal is to develop some Custom Hook to execute what Login.asp should execute.

    Thank you for your help.


    Olivier Detilleux - Service Line Manager | Core Infrastructure Department - vNext http://www.vnext.fr - http://myitforum.com/cs2/blogs/forefrontsecurity/
    Thursday, July 7, 2011 12:06 PM

All replies

  • Hello Olivier,

    You pretty much answered your own question :). Indeed, when using AD FS v2.0 for trunk authentication, UAG does not have the necessary credentials needed in order to perform SSO to the RemoteApp.

    Furthermore, SSO to RemoteApps is very different from SSO to other web applications published through UAG. For SSO to web apps, UAG intercepts the response from the backend web server when it asks for credentials, and it injects the credentials in one of several ways (Basic, NTLM, KCD or form-based authentication). But for RemoteApp SSO, UAG needs to pass the credentials to a Remote Desktop Services component (not a UAG component) which runs on the client - the RDS Web Access Control. This is a further reason that implementing SSO to RemoteApps in a UAG with AD FS scenario is not something that is currently feasible.

    Regards,


    -Ran
    Tuesday, July 5, 2011 2:06 PM
  • Hi Ran,

    Thank you very much for this very clear answer. I was hoping there was a way to inject a password in the LeadUser session cookie, or to specify the UAG repository that sends the credentials to the RDS Web Access Control.

    With a custom script, I can get the password associated with the user in the ADFS ticket. So if I can send this password to the RDS Web Access Control, it would be great. Am I wrong?


    Olivier Detilleux - Service Line Manager | Core Infrastructure Department - vNext http://www.vnext.fr - http://myitforum.com/cs2/blogs/forefrontsecurity/
    Tuesday, July 5, 2011 2:27 PM
  • Hi Ran (again :) sorry to insist),

    Here is how I got the password of the user authenticated with ADFS 2.0:

    After logon on the portal, I have a custom PostPostValidate.inc that gets the LeadUser (which is the claim value used as leaduser) from a SQL table. This SQL database is synchronized with Active Directory with FIM and PCNS (to synchronize passwords between AD and an encrypted column in the table). So, I have the Active Directory samaccountname and password of the user authenticated on the portal.

    RemoteApp SSO is working with an AD authentication on the portal. So, if (in theory) I can add the password to the LeadUser (authenticated with ADFS v2.0), can I feed the user name and password into the RDS Web Access Control? Or is there another way to store credentials that can be fed into the RDS Web Access Control (like SSO works with an AD authentication)?

    I think this is the last question :)


    Olivier Detilleux - Service Line Manager | Core Infrastructure Department - vNext http://www.vnext.fr - http://myitforum.com/cs2/blogs/forefrontsecurity/
    Tuesday, July 5, 2011 8:57 PM
  • You're welcome Olivier!

    Since I believe, based on some private discussions we had on this topic, you managed to find a solution, could you please mark this thread as answered?

    Thank you and regards,


    -Ran
    Sunday, July 10, 2011 5:27 AM